Stay in Compliance: What Marketers Need to Know About ePrivacy Law

Email Marketing


If you capture and use customer data as part of your marketing process, legal compliance should be one of your top concerns. That said, ePrivacy laws – especially if you’re marketing across multiple countries, each with varying legislative requirements – can be a challenge to keep straight.

Marketo recently hosted a webinar on this very subject, called ePrivacy Law Marketers Need to Know. Our goal is to help you to better understand the impact of legislation on your day-to-day marketing processes (especially email marketing) and to help marketers stay compliant with ePrivacy law.

Judging from the volume of questions from our webinar attendees, this topic is certainly front-of-mind for most marketers. To answer some of the most pressing questions, we’re turning this blog post over to Duncan Smith (CEO, iCompli) and Autum Tyr-Salvia (Email Strategy and Compliance Analyst, Marketo) for their input.

Q. Would you agree that building trust requires us (organisations) to have a very clear purpose for collecting the data, and to be able to clearly express that purpose to our customers? 

DUNCAN: Yes.  If you find yourself saying “We can’t tell them what we do with data; they’d run a mile!”, then the chances are you shouldn’t be collecting that data anyway.  The more aggressive your use of data, the greater the benefit needs to be. Transparency will be a ‘buzz’ word in the new General Data Protection Regulation.

Q. When you purchase data lists, how can you be sure that you have necessary consents?

DUNCAN:  Bought-in lists do present problems – and you are responsible for solving them! For the UK, there is the List Warranty Register, which is a good starting point. The best practice is to always ask the provenance of the data – where did it come from, and for what purpose was it collected? Ask to see the privacy policy that was used to inform those on the list how their data would be used.

Q. How can you best ensure that you keep personal data accurate and up to date?
DUNCAN: At iCompli, we like to go back to individuals and ask them! Even if you don’t have permission to market to them, you can still contact them to assess the validity of the data.  Just don’t allow any marketing scope to creep in – keep it contractual, and DO make it easy for them to amend/add data.

Q. What is the state of the “Do Not Track” browser setting?

AUTUMN: I wouldn’t call it exactly dead, but the internal wars over this have made this setting less and less relevant. The biggest consideration for marketers here is that your privacy policy should state whether you respect this setting or not, to be in compliance with California law (should a Californian happen to visit your website). That said, given the enhanced privacy awareness in the EU, respecting this browser setting is likely to be good public relations when dealing with EU users.

Q. What should marketers do to be prepared for Canada’s Anti-Spam Legislation (CASL)?

AUTUMN: To be prepared for CASL, you should carefully record all opt-in data. Also, you should add separate opt-in checkboxes to all marketing forms that are not pre-checked.

Q. In the EU we have seen the emergence of self-certify “Trust Me” icons. Do you think that these are effective and consumers understand what the icons mean?

DUNCAN: The jury’s out! There is quantitative evidence that these badges do engender trust, but often for the wrong reasons. Test your market and ask what they consider to be a sign of trust. A word of caution: there is a lot of ‘snake oil’ out there at the moment.

Q. Is collecting a person’s business card (e.g. at a tradeshow) enough ‘opt in’ to start emailing a person in Europe?

DUNCAN: It depends. If they handed it to you during a conversation, then yes – but ensure you record where and when you got the business card. Then, you should consider how long you can use the data for, according to EU law.

On the other hand, if they put their business card in a ‘rose bowl’ champagne prize draw, then technically this is not enough ‘opt in’ to start emailing the person.  While we all may know what prize draws are about, the card giver may not have knowingly given consent.

Q. ePrivacy is a big challenge for SME’s who are still getting their heads around new methods (technology or otherwise) of engaging with their customers. Are there sources of sample permissions available that can help businesses obtain data with a reasonable level of scope for innovation?

DUNCAN: It is a challenge but you don’t always have to know the law to comply! Privacy law is based on precepts like being decent, truthful, honest, and transparent, and on giving your market plenty of choices. If you design your data acquisition strategies to be all these things, there’s a very good chance you will be compliant.

Q. What is the best approach to managing the disparity between the legislative requirements of various countries?

DUNCAN:  The new EU General Data Protection Regulation is moving us all towards a more German-like position – particularly regarding consent to market to individuals. Think about prominence, transparency, and genuine choice. Remember, the US still has predominantly opt-out legislation whilst the UK and the EU has adopted an opt-in approach.

AUTUMN: Looking at email marketing, the key requirement with unsolicited email in the UK B2B world is that the message must have functional unsubscribe, and must be directly relevant to the job function of the individual contacted. That said, I still advise only opt-in email, because this protects you no matter what.

Want to learn more? You can watch our on-demand webinar for lots more expert opinion and guidance on this hot topic!

Got questions around legislation and regulation? Either post a question below, or tweet the experts directly! You can reach Duncan (CEO, iCompli) at @Duncan_iCompli and Autumn (Email Strategy and Compliance Analyst, Marketo) at @aceofemail .

Please keep in mind: we aren’t lawyers — we’re marketers. The best way to ensure that your marketing is in compliance is to consult an attorney who specializes in ePrivacy law.